Telegram Stickers

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it says—create Telegram sticker files—while clearly disclosing local processing, dependencies, and temporary upload behavior for animated stickers.

This skill is reasonable to install if you are comfortable processing selected images locally and, for animated stickers, uploading the generated WebM to tmpfiles.org unless you use --no-upload. Install dependencies from trusted sources and avoid using private images with the default upload path.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

2/65 vendors flagged this skill as malicious, and 63/65 flagged it as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the dependencies may bring in third-party code outside the reviewed skill files.

Why it was flagged

The skill depends on external packages and a system ffmpeg installation, but no pinned versions or install spec are provided. This is normal for an image-processing skill, but users should install dependencies from trusted sources.

Skill content
pip install "rembg[cpu]" Pillow numpy
# ffmpeg with libvpx-vp9 (system-wide install)
Recommendation

Use trusted package repositories, consider a virtual environment, and install a reputable ffmpeg build.

ASI05: Unexpected Code Execution
Low
What this means

Running the skill executes local image/video-processing commands on files you provide.

Why it was flagged

The skill invokes ffmpeg via subprocess to encode sticker frames into WebM. This local command execution is central to the stated video-sticker purpose and does not use shell=True.

Skill content
cmd = [
    "ffmpeg", "-y",
    "-framerate", str(fps),
    "-i", str(frames / "frame_%03d.png"),
Recommendation

Run it only on images you intend to process and ensure ffmpeg is installed from a trusted source.

ASI07: Insecure Inter-Agent Communication
Low
What this means

A generated animated sticker derived from your selected image may be uploaded to a temporary public file-hosting service.

Why it was flagged

Animated sticker output is uploaded to the third-party tmpfiles.org service by default. SKILL.md also discloses this behavior and provides a --no-upload option.

Skill content
urllib.request.Request(
    "https://tmpfiles.org/api/v1/upload",
    data=body,
Recommendation

Use --no-upload if the image or generated sticker is private, sensitive, or should remain local.